About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

01 December 2012

A Bantu in My Bathroom

Before reading the book, I had never heard of Eusebius McKaiser, whose profile on the cover is described as "popular radio talk show host". I am not sure why I picked it up at the bookshop (I think it was the title); but I was hooked on the writing. 

It is a collection of essays on a number of topics in modern South Africa; spanning race, sexuality and culture - opening up some rather uncomfortable topics; and discussing them in a clear but powerful way. The essay on why what is legally right is not necessarily morally right (from the title essay), and the one on why affirmative action is just, were the two highlights - but every essay has something interesting and thought provoking; it is a collection that everyone should read.

14 November 2012

Finale - JPO's 4th 2012 Season 6th Concert

The final week of the 2012 season started on a very emotional note; as one of the orchestra members made a short speech on the hardships of playing without being paid; and why they continued to do so. It was a stark reminder that this could very well be the last ever concert; not just the last of the season. It ended up being one of the most enjoyable JPO concerts I have been to - it seemed like every orchestra member was there to play their part; and played with their hearts. It was not only the music selection; the performance itself was at a different level.

The concert started with a short piece - Glinka's Overture to his opera Russlan and Ludmilla. It was an upbeat, fun piece; something to push back the very somber cloud over the orchestra. Following the overture was Saint-Saëns' Second Piano Concerto, played very flamboyantly by Israeli-American Inon Barnatan. The concerto was amazing - in the showcase of the piano as an instrument, the orchestra and the performance itself. It was the perfect mix for the evening - the dark and somber was equally contrasted with the very playful and upbeat. It was a performance thoroughly deserving of the standing ovation. He did a very interesting encore with Debussy's Clair de Lune, which was equally well received.

The symphony for the evening was Dvořák's amazing 9th Symphony (From the New World). I have heard the JPO perform it before; and I have heard various movements on the radio - but tonight's performance was something special. Every musician seemed to make some kind of a special effort; there was something extra - hard to know; but easy to feel. It was one of the best performances that I have ever attended; and it got a very well deserved standing ovation.

I really hope that the JPO survives, and the music continues. And there is at least one concert left (tomorrow 15 Nov); and I saw an advert for a Christmas concert featuring the orchestra at the end of the month. But if, for whatever reason, it doesn't survive; it can hold its head up high that it went out with one of its best performances.

11 November 2012

Movie: Flowers of War

The multi-lingual movie is set just after the fall of Nanking, during the China-Japan war in 1937 - what would later be called the "Rape of Nanking". It stars Christian Bale (who also starred in another China-Japan war movie, Empire of the Sun), who plays a drunk mortician stuck in a cathedral with some convent school girls and some prostitutes; as the horror of the war overtakes everything. It is ultimately a movie about sacrifice; but it is a brutal yet visually stunning showcase of the horrors of war. It is brutally effective - particularly because this is not a story told from the perspective of a soldier; or even that of the mortician - but rather a surviving school girl; and the movie captures the story teller's innocence, determination, terror, and ultimately appreciation and love for her saviours perfectly.

01 November 2012

Somber - JPO's 4th 2012 Season 4th Concert

There were hints last week that the JPO may be in financial difficulties - a half full concert hall, the cancellation of the guest conductor, the change in an earlier published program due to the costs associated with a particular piece, and a downsized orchestra itself during the performance.

Last night's concert started with a somber message on the extent of the orchestra's financial distress. The orchestra had recently applied for business rescue; and the musicians hadn't been paid for 2 months. There is some hope for rescue; especially if the Lotto funding from the previous few years is continued. In a tough economic climate, money is scarce, and thus the decline in audience numbers or donation support is somewhat understandable.

There is however a point to be made, on whether art should be sponsored purely for its form. After all, the JPO has seemingly not been very successful in attracting a sustainable audience in Gauteng; and it can be argued that there are more popular artistic endeavors that should be supported in its place. And I would also argue that there are some challenges in the current operation of the JPO.

For example, a number of colleagues and friends are avid listeners to classical music. But they do not know when the concerts are on and some do not even know about the existence of the JPO itself. This is a failure of marketing; and this is something that needs to be addressed.

Next is the program itself. The bulk of the audience is retired, old people. The musical choices, while great classical pieces, are hardly welcoming to a new, younger audience member. The program notes are written for the aficionado, not someone who wants to experience a new art form. The atmosphere is stuffy, and although the people are friendly and welcoming - it is hardly the hip and happening event in town! I think there needs to be a greater variety and mix in the music itself - perhaps a few more contemporary orchestral music pieces - from movies or even pop/rock music. This does not mean that the classical pieces should disappear - just that there should be a lot more variety - something the Buskaid concerts have managed to do very well!

That said, the JPO is a good orchestra, an institution that deserves to be protected. Last night's concert was a perfect showcase of their skill and despite the somber nature of the announcement (and the music itself); it was one of the best programs I have attended.

The first piece of the evening was Sibelius' En Saga; which is a beautiful piece of music; although quite somber and even dark in places. In many respects it was a fitting start after the announcement, a sense of melancholy and sadness - but one showcasing impressive skill. The second piece, starring local piano maestro Ben Schoeman (another change in the program due to the financial considerations; the visiting pianist from the USA did not perform), was Rachmaninov's Rhapsody on a Theme of Paganini. It is one of my favourite piano pieces - a showcase of piano and orchestra; and it was a masterful performance by both! Tchaikovsky's last symphony, No.6 (Pathétique), rounded off the evening. It was in many respects the encapsulation of the evening - a somber beginning, a joyous and rapturous middle, with a very dark and somber end.

The orchestra is a very large and expensive musical form - not only because of the skill and training required to form one; but the number of people required to participate and perform. It remains one of the pinnacles of musical performances; and the JPO is a good orchestra that is worth preserving. And I hope it does - but it will need to change in both how it markets itself; and evolve in the music it performs.

30 October 2012

The (Honest) Truth about Dishonesty

Came across a YouTube video, courtesy of the Schneier blog, on dishonesty by Prof Dan Ariely. The talk, based on his book of the same name, makes the point that almost everyone makes decisions that have some good and some bad outcomes. However, when these outcomes have a biased incentive scheme (as in the case of bankers), the decision making process itself gets clouded; and the perceived reality is not the same as the actual reality. He also talks of some mechanisms that seem to help with "resetting" the compass - and the Catholic confession is used as an example. While he was going through the example, it occurred to me that South Africa's Truth and Reconciliation process was very much a similar resetting process; and is perhaps one of the best, mass scale, examples of such a process. But this means, in theory, that the persons who are only doing a "little bad" could be influenced to do a lot less "little bad", if such processes occurred regularly. Could such a simple idea be a building block for wider social change?

27 October 2012

ZACON IV

The fourth iteration of the local hacker/security conference has grown even larger, and for a change it was not dominated by Sensepost talks (though this was not by design, just an effect of the landscape; and MWR seems to have taken over somewhat). I missed the bulk of the first talk (as I had some things to do in the morning), and the rest of the program was interesting. More details on the website.

As per previous conferences, ZACON was held once again at UJ's monstrous concrete jungle in Auckland Park. The lecture theatre was quite nice though, with impressive AV facilities. The demographic spread of ZACON is interesting; in terms of gender (the number of ladies in the room could be counted on one hand), age, race etc. There was a distinct lack of corporate guys; a pity in that the forum is great for knowledge sharing. I do know that there were students from UJ and UP, which does skew the demographics a bit.

I have only captured the talks I found interesting.

Glenn Wilkinson's talk mirrored a similar talk at RSA Europe, on exploiting WiFi AP search requests. The differentiator however, was the ability to chain the systems together (instead of offline systems like the Pineapple). There are some interesting applications of the approach - both good and bad; and it was certainly an interesting discussion.

Simeon Miteff's talk on the security challenges on very high speed networks was quite interesting, especially as it has applicability beyond the research network into modern datacentres. I think the solution is really in segregation - not all connectivity is high speed, and it may be better to focus on the interconnects to slower networks and not focus on securing the high speed networks.

Ross Simpson's talk on hacking games focused a lot on memory hacks; but the discussion point was really client side validation. Whenever the system does client side validation, these values are stored in memory, and thus can potentially be bypassed. What was particularly interesting is that some very popular modern games (examples were shown on iOS) that use a client-server model can be exploited because they use client side validation. It is true that iOS memory hacks for client-server applications would need jailbreaking, but there are some interesting attacks exploiting save files on the device that can work on non-jailbroken devices.

Andrew MacPherson's talk on physical access control vulnerabilities was amazing. Starting with traditional locks and lockpicking, the really cool stuff was the demos on magstripes (with a good background on magstripes) and RFID tags. One of the most impressive talks, especially given the widespread use of magstripes and RFID tags - not only for access control but for all sorts of other uses.

Jacques Louw's talk on using software defined radios for attacks was a continuation of the radio theme. The bulk of the talk was rehashing theory from a long time ago, but the application to utility meters and GSM was very cool (and frightening, when considering the social impact for smart metering).

Schalk Heunis' talk was different, focusing on home alarm systems; and reverse engineering the system using an Arduino. While there is an attack perspective; there are very cool implications for home automation. The House4Hack team have some interesting work in this regard.

20 October 2012

Most Dangerous Cities in the World

A Mexican think tank has released a study on the most dangerous cities in the world, and Johannesburg is at no. 50 on the list. The data is compiled from crime statistics from 2011, although it seems that murder rate per capita is the key determinant. A short story on the list, in English, is available on BusinessInsider.

It is interesting that so few countries make contributions to the list, and all but two of those countries are in the Americas. These lists are of course influenced by the availability of data, and I do think it will change if more crimes are taken into account.

I thought that the crime rate could potentially be linked to the Gini index - which looks at the degree of income equality in the world (full list here). While there is some link - it is certainly not a high degree of correlation. Southern African countries dominate in terms of income inequality, but only South Africa has a reputation for high crime rates.

Country        No. of Cities   Gini Index (Inequality)
Brazil         14              16
Colombia       5               10
El Salvador    1               34
Guatemala      1               11
Honduras       2               9
Iraq           1               n/a
Jamaica        1               42
Mexico         12              18
Panama         1               17
Puerto Rico    1               n/a
South Africa   4               2
USA            4               43
Venezuela      3               71

17 October 2012

Google's Datacentres

Wired has some amazing articles on Google's datacentres and the computing power behind it all. 

Very interesting reading!

15 October 2012

Melting Pot

It had been a long time since my previous visit to London - about 6 years I think. The Olympics hasn't really changed the city - other than the remnants on the billboards. It remains old and grimy in some places; and new and shiny in others. It is a testament to the sheer longevity of the city.

One thing that has noticeably changed, is that it is an even bigger melting pot. The high volume of Indian immigrants is well known, but it is only in this trip that I noticed all the other shades of accents - the Polish (or some other Eastern European) receptionist, the Caribbean assistant at the Tube station, various main stream European languages, Chinese, Malay etc. And these aren't even the tourists. 

I still don't like the weather, but I do love the melting pot.

13 October 2012

Movie: Haywire

It is a spy/action thriller featuring some top notch actors in Michael Fassbender, Ewan McGregor, Michael Douglas and Antonio Banderas, about a female mercenary who is framed by her employer. It's a nice story, and a fairly realistic one (no amazing gadgets, people get hurt in fights), but nothing spectacular.

Movie: Father of Invention

It has been a while since I have watched a movie featuring Kevin Spacey. The movie features a successful inventor (who makes money from infomercials) who has just got out of prison. It is partly a story about his search to reclaim his mojo as an inventor; but ultimately it becomes a feel good soppy movie about family values. The brilliance of Usual Suspects this ain't.

For the Lack of a Conductor

The Heathrow Connect from London made a surprising, last minute cancellation and stopped at the station before the airport. At this point there were three options: take the next train, take the bus or take a taxi. The latter two options wouldn't be supported by the train company; and the last minute change was very perplexing.

It was particularly perplexing that the options were not communicated by the train drivers or the station; but rather by a young apprentice of the train company who had just got off and was similarly inconvenienced. Apparently, the cause of the delay was the lack of a conductor to check tickets; apparently a requirement for all Heathrow trains. And even more alarming - this is not an irregular occurrence; but something that is quite frequent (the missing conductor and thus the cancellation of a train). Apparently, this is most frequent on early morning trains to and from Heathrow.

So, if you don't have 30 minutes to spare waiting for the next train (and are willing to pay double); get the express. The affliction of missing conductors apparently does not affect the express.

11 October 2012

Hacking Virtual Worlds

Jason Hart had a brilliant talk on different techniques to hack virtual worlds. His key message was that, as virtualization has taken off, the CIA principles for security have been completely ignored and many of the old vulnerabilities have not only resurfaced; they are even easier to exploit.

Not all of the talk was specifically focused on cloud. Using a Pineapple he showed how easy it is to intercept and decode passwords (even when they are encrypted). After that, accessing systems, virtual or not, is not a big issue.

But his attack techniques on virtualization platforms were the most illuminating - from accessing VMWare's vCenter via cracking the MD5 password; to exploiting the fact that robots.txt files aren't respected in public cloud services (and thus are susceptible to Google hacking).

It was not a failure of technology (although the Pineapple did exploit protocol weaknesses), but failure to follow basic principles.

Active Defense

Another buzzword at the conference is Active Defense. Introduced by Francis deSouza in his keynote on day 1, it is based on the idea that wars are not only won by defending, but also by attacking and eliminating threats. The concept is of course controversial, and the legal, technical and ethical challenges have been raised by a number of later speakers.

This morning, Josh Corman raised the idea of resurrecting Letters of Marque as a means of regulating active defense. I am not convinced that this approach will solve the legal and ethical challenges.

Letters of Marque were granted by European monarchs to sanction specific pirates and allow them to carry out their piracy (usually as long as it was not in their backyard). Effectively, they were state-sanctioned criminals; and the idea to enable Letters of Marque for cyber attacks will open a Pandora's box.

Josh Corman's HD Moore's Law

Since yesterday's keynote by Josh Corman, HD Moore's Law has become some sort of a mantra by the other speakers at the conference.

It's a brilliant argument; instead of focusing on compliance as a minimum baseline, the minimum baseline should be: can you get compromised by the default/basic settings of Metasploit? Because Metasploit is easy to use and widely available, it makes for an easily exploited attack vector. It also aligns with the US RSA Conference talk on metrics that commented that the basic metric of security is "hackability", or how easy it is to hack you.

10 October 2012

Live RAT Dissection

Uri Fleyder (RSA) and Uri Rivner (Biocatch)'s presentation yesterday on the use of remote administration tools, coupled with "man in the browser" attacks is probably the most alarming threat exploitation I have seen recently. 

The attack first exploits browser vulnerabilities through drive-by downloads to infect the target machine. I suppose a drive-by download is not even necessary - other vectors could also be exploited. Once the target machine is infected, the attacker can make use of a remote administration tool (RAT) to carry out an attack using the target machine. Through the use of a "man in the browser" attack, the attacker intercepts browser activities, such as banking (or e-commerce or any other activity), and thus can not only capture data in realtime but can also take control of the browser and show false messages (such as longer login times, false redirections etc).

The beauty of this attack is that it is carried out entirely from the target user's own machine, and tokens are also compromised in this attack (through the use of redirections). And there are very few countermeasures ...

09 October 2012

RSA Conference Europe: Day 1 Keynotes

There was an overall theme to the first three keynotes - a need to change the security models from (perimeter) defense based to "intelligence based" model. Art Coviello (Chairman, RSA) introduced the theme, with a focus on changing security to be more agile, contextual, risk based and the need to share and analyse information on scale.

Tom Heiser (President, RSA) followed, expanding the themes, with an insightful comment on the Moore's law equivalence in security; the cost of attacks has reduced while the complexity of attacks has increased. Both speakers were hugely critical of compliance based regulatory regimes, which are sometimes contradictory, and often provide a false sense of security.

Francis deSouza (Symantec) followed the theme with a focus on the need to be more "militaristic" in IT security. His argument was that you can't win a battle on purely defense, and security strategies and solutions need to consider the whole campaign and not just point vectors. In this regard, defense mechanisms also need to be "great" and not just good to be effective.

Adrienne Hall (Microsoft GM for trustworthy computing) focused mainly on cloud adoption, though was a bit out of sync with the earlier theme. Hugh Thompson was also out of sync, but did raise a different perspective - security solutions currently are a "one size fits all" solution, and are not tailored to individuals, so are either too complex or too simple; and are basically both ineffective. To create a security profile that is really personalized will be difficult, but would be a very interesting approach to becoming more secure.

Chill Man

I caught the slower train from Heathrow to Paddington, which stops at a few local stations along the way. It was surprisingly quick to clear immigration (last experience at Heathrow, over an hour; yesterday 5 minutes), so I had some time before I could check in to my hotel.

At the first stop after Heathrow, two heavily tattooed men dressed in tatty clothes got on, and hung by the door. Shortly thereafter, the conductor came through checking tickets, which these men didn't have. I was quite surprised, as were the two men, by the conductor's reaction. After a hushed (but still audible) chat on why they didn't have tickets, the conductor simply asked the two men to take a seat and relax. The men were so startled that the conductor had to repeat himself, "chill man".

I am not sure why this small incident should stick in my mind ... are these instances of understanding officialdom so rare?

07 October 2012

Symphonic Rocks 2012

The second year in Jo'burg wasn't as well attended, with a number of free seats. Carnival City, as a venue, probably contributes to that, but the crowd did seem a lot more diverse than last year. The combination of the 65 piece Cape Town Pops Orchestra and leading SA pop/rock artists is not only great music, but as Ard Matthews put it so eloquently, a great way to preserve a dying art, and contribute to enhancing our culture.

After a short overture, aKing started the proceedings in rocking style with two of their popular radio hits. It was a good start, though the next singer, ChianoSky, didn't continue the momentum. Her dance hits fit well with the orchestration, but her squeaky voice just irritated me.

A noticeably slimmer Zolani Mahola (of Freshlyground fame) was the best performer of the first half, getting great applause and support from the crowd, and there was even dancing in the stands! Freshlyground's music lends itself to orchestration, and I think it would be great if they released a full album backed by an orchestra!

Van Coke Cartel's Afrikaans metal worked with the orchestra, although at times the electric guitar riffs did overpower the orchestra. They kept the energy going into the next act, Toya Delazy, whose dance pop hits were better suited to the orchestra.

Ard Matthews confessed to being a "soppy rocker", and belted out two of his solo love ballads followed by the classic "What he means", which seemed to get the whole audience singing. Tumi & The Volume closed the first half, though I found his voice to be overpowered by the instruments.

The second half started with a medley of theme songs from the James Bond franchise (cleverly following a Heineken ad featuring Daniel Craig); which got a rousing applause from the audience. Andy Mac, the organizer behind Symphonic Rocks, was next with his band Macstanley. Andy makes a good MC (better than the actual MC) and did a good job of introducing everyone on the stage (and took the credit for being the head honcho). I haven't really been a fan of Macstanley (or Flat Stanley in their previous incarnation) and they were certainly blown away by the acts that followed.

Fokofpolisiekar should make a symphonic Afrikaans metal album. More than anyone else in the show, their ballads were perfectly pitched with the orchestra and the result was truly amazing. Their standard, "Hemel op die Plateland", was amazing with the symphony and got everyone headbanging.

Multi SAMA winner Zahara was next, and the success of the show was evident in how all the headbangers just switched to jiving along. She has an amazing voice, and it was great to see her perform live.

Mi Casa played an interesting set, where there didn't seem to be any break between the songs (as would be expected from an electro-dance group). The trumpet playing of Mo-T was impressive, and fitted well into the arrangements.

Ed Roland, the lead singer of Collective Soul, was the last performer. I have seen Collective Soul before, but I am not really acquainted with their music. It was a great performance and a fitting end to the show.

As a final comment, perhaps future shows should consider reducing the number of artists in favor of giving them longer sets. And move the show closer!

23 September 2012

Movie: Beasts of the Southern Wild

It is a strange movie - but one with an incredible imagination, absolutely stunning acting performances, and a moral story about the devastating impact of climate change. Set in a poor community near New Orleans, the story revolves around a young girl, Hushpuppy, her eccentric father who is trying to teach her how to survive, and some strange events that take place during what seems to be a hurricane. I don't think I really understood some parts of the story (like the aurochs), but the acting performances were incredible.